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1- Introduction 

1.1 Complex space-based systems need constant monitoring 

Some complex space-based systems require constant monitoring — parameters, 
configuration, and component condition changes with time. Current operational 
practice often requires human operators to scan telemetry, watching for deviations 
from expected performance. In real-time, large-scale applications this often proves 
expensive, since many operators are required given the data processing limitations of 
humans. By automating some or most of the fault detection and isolation, recovery, 
and control of these dynamic systems, the need for direct human intervention may be 
reduced. 

The objective of the Systems Autonomy Demonstration Project (SADP) was to develop 
and validate a knowledge-based system for real-time control and fault detection, 
isolation and recovery (FDIR) of a complex prototype space subsystem. This two- 
volume report describes the technical and programmatic results of SADP, which was a 
joint effort between NASA’s Ames Research Center (ARC) and Johnson Space Center 
(JSC). In addition to the significant technical challenges of SADP, cultural differences 
between the operationally-oriented JSC organization and the research-oriented ARC 
organization had to be overcome before artificial intelligence software could be 
integrated with a live testbed. 

A prototype thermal control system, or thermal bus, for the Space Station Freedom 
(SSF) was selected as a representative system for a symbolic control application, the 
Thermal Expert System (TEXSYS). In the course of TEXSYS development, ARC 
created the expert system and operator interface software, while JSC was responsible 
for data acquisition and control software, providing thermal expertise, and testbed 
operations. At ARC, a thermal brassboard originally built by Sundstrand Aviation for 
KC-135 zero-gravity tests was employed for TEXSYS development and 
demonstrations. The thermal bus used for TEXSYS tests at JSC was the Boeing 
Aerospace Thermal Bus System (BATBS) resident at JSC. Both thermal systems 
followed the same Sundstrand design - a complex, self-balancing system, described 
by many independent parameters. The nonlinearity of this particular thermal bus 
architecture has thus far made conventional dynamic numerical simulation infeasible. 
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1.2 Potential safety and cost improvements achieved by automating 

The patient analysis required to detect very low frequency anomalies is a task that 
human beings dislike and perform poorly. Unlike expert systems, human operators 
may become inattentive, fatigued, or need to attend to bodily functions. Automated 
trend analysis may detect slow degradation and other incipient failures before they 
impact mission performance or exceed safety limits. Given continuous monitoring of 
manned space systems, cost savings may also be realized by automating the 
mundane monitoring and troubleshooting tasks -- thereby freeing crew time and 
reducing the level of required ground staffing. 

2. Project Goats 

2.1 Technical Goals: Real-time knowledge-based control 

The objective of the Systems Autonomy Demonstration Project was to develop and 
validate a knowledge-based system for real-time control and fault detection, isolation 
and recovery (FDIR) of a complex space subsystem. The software thus developed was 
to be capable of diagnosis of all major thermal bus failure modes, and had to exhibit 
real-time nominal control as well as real-time correction of at least a few failures. A 
prototype thermal control system, or thermal bus, for Space Station Freedom was 
selected as a representative system and the TEXSYS (Thermal Expert System) was 
created. 

2.2 Institutional Goals 

From the initial 1986 SADP Project Plan [i]: 

The broad objectives of this demonstration project were to provide: 

Technical base of in-house personnel and development tools to facilitate Al technology 
transfer. 

Technology focus for Automation research and development in support of NASA's space 
programs. 

Means for validation and demonstration of Automation technology prior to transfer to Agency 
programs. 

Credibility of Automation technology within NASA. 

Credibility of NASA Al expertise to the outside Al community.” 

A specific objective of this project was to provide: 
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“A technology demonstration to establish automation requirements of systems operations 
techniques for TCS [Thermal Control System] configuration monitoring, systems status, 
fault identification/ isolation/ diagnosis, and reconfiguration." 

3. SAPP Organization: geographically diffuse 

The project was a joint effort of four divisions at two NASA centers. Project 
management, the expert system development, and initial TEXSYS testing with the 
Sundstrand thermal brassboard were all conducted by the Information Sciences 
Division at ARC. The Aerospace Human Factors Division at Ames designed the 
Human Interface to TEXSYS (HITEX). Domain expertise, the thermal bus and control 
systems were provided by the Crew and Thermal Systems Division at JSC. The 
Systems Development and Simulation Division at JSC built the TEXSYS Data 
Acquisition System (TDAS) and managed the systems integration and testing effort at 
JSC. Funding was provided through FY88 for early work on a combined Power- 
Thermal demonstration scheduled to follow the standalone TEXSYS demonstration. 
Towards this end, the Automation Power Expert (APEX) system at NASA-Lewis 
Research Center was begun under the auspices of the SADP, but was later separated 
into an independent effort. 

4. Technical Approach 

4.1 Hardware: two-phase thermal bus 

The Boeing Aerospace Thermal Bus System (BATBS), targeted in the final TEXSYS 
demonstration at JSC, is the baseline thermal architecture for the SSF external 
thermal bus. This thermal bus consists of 5 major component types - evaporators, 
which collect heat by evaporation of ammonia; condensers, which reject heat to the 
radiators by ammonia condensation; a Rotary Fluid Management Device (RFMD), 
which acts as a zero-gravity pump; a Back Pressure Regulating Valve (BPRV), which 
controls the temperature of the bus; and an accumulator, which acts as a reservoir of 
vapor and fluid. The bus is instrumented with 86 temperature sensors, 9 pressure 
sensors, 13 delta pressure sensors, 8 flowmeters, 2 accumulator position sensors, 16 
solenoid valves, a RFMD power sensor, a RFMD speed sensor, and a position 
indicator for the BPRV. Also provided are 30 calculated parameters such as heat load 
applied to the evaporators. A commercial automated control package (FLEXCON, 
from GeoControl Systems, Inc.) is used in the Thermal Test Bed at JSC and is 
attached to the bus to provide data acquisition, limited automated control and manual 
controls. The Sundstrand thermal brassboard used at ARC was a smaller version of 
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the BATBS with fewer heat exchangers. This kind of test bed proved an excellent 
environment for the TEXSYS project, providing a real-time electromechanical system 
of tractable complexity, a variety of sensors similar to flight hardware and a controlled 
test environment. 

4.2 Multi-processor architecture 

The TEXSYS system consists of three main components: the thermal expert system 
(TEXSYS), a human interface to TEXSYS (HITEX) and a data acquisition system 
attached to the automated control package. The TEXSYS architecture is shown in 
Figure 1 . 

TEXSYS communicates with the users through HITEX, which was designed for use 
by thermal engineers. HITEX provides a variety of textual and graphical displays to 
observe the state of the thermal bus and the expert system, and is used for 
demonstrating possible flight system operator interface capabilities. It presents this 
information on two user configurable monitors, with a keyboard and mouse shared 
between them. A monochrome graphics monitor reports on the expert system, showing 
information such as the currently active tasks, faults diagnosed, instructions to the 
user and explanations. This monitor is also the place where user input to the expert 
system is made via the mouse or keyboard. A color graphics monitor is used to 
display the state of the thermal bus in several different ways. Each monitor screen is 
divisible into multiple tiled windows and includes a fixed menu of icons used to initiate 
actions. Configuration of the screens is made from a series of pop-up menus and 
type-in windows triggered by mouse clicks on menu icons. 

As was shown in Figure 1, the TEXSYS and HITEX systems are linked to the control 
system of the bus by the TEXSYS Data Acquisition System (TDAS) [ 2 ]. The prototype 
TDAS was created in 1986-87 by Lawrence Livermore National Laboratory (LDAS), 
and was used at A RC with the Sundstrand brassboard. The current TDAS was written 
by the Systems Development and Simulation Division at JSC. 

TEXSYS supplies TDAS with lists of sensors whose values are of current interest to 
TEXSYS and HITEX. To reduce the amount of data to be processed, each sensor 
has associated with itself a set of deadbands and significance limits on TDAS. TDAS 
scans the data from the FLEXCON-based Data Acquisition and Control System 
(DACS) database at each update, in this case every five seconds, and calculates the 
trend and long term trends of the analog readings. Comparing current and previous 
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Figure 1 . Thermal Expert System (TEXSYS) Architecture. 








sensor values against the defined deadbands, significance limits, and alarm values, 
only significant sensor values are flagged to be sent to TEXSYS and HITEX. When 
no alarm values are violated, the significant data are forwarded after TDAS is polled; 
alarm violations are reported asynchronously to TEXSYS. TEXSYS can change the 
list of sensor readings examined and all sensor-associated limits. 

4.3 Online model-based reasoning 

The expert system was built using two software toolkits created by ARC. The Model 
ToolKit (MTK) was built to allow the rapid construction of qualitative models of 
physical systems. [3, 4] It features an object-oriented graphical interface to allow 
models to be built by selecting items from libraries and connecting them using a 
mouse. The Executive ToolKit (XTK) is a task language with constructs that allow 
symbolic processes to interact with low-level data acquisition and control 
processes. [5] 

Rules for the propagation of sensor readings and data values, and the conversion of 
these to qualitative values, are included in the classes of component objects and are 
compiled by MTK into active values (daemons) before run time to enhance 
performance. In addition, a consistency-based diagnosis approach, using an 
assumption-based truth maintenance system (ATMS), is employed when inconsistent 
sensor readings are detected. Hypothetical worlds [globally-consistent belief sets] 
are generated corresponding to each candidate fault set. These fault candidates are 
obtained in a manner similar to that of de Kleer and Williams’s General Diagnostic 
Engine (GDE) approach [6]. An assumption-based truth maintenance system (ATMS) 
[7] is used in TEXSYS to keep track of the chain of downstream facts which are 
justified by a given sensor reading. When a new reading arrives, the ATMS marks this 
previous chain as disbelieved, followed then by propagation and qualitative 
translations of the new reading in the model to generate a new chain of facts within the 
ATMS. TEXSYS marks the first time that consistency-based diagnosis and an 
assumption-based truth maintenance system have been used extensively in a 
realtime online controller application [4,8]. 

Rather than waiting for observations of future behavior to resolve ambiguous 
evidence, consideration of the thermal bus’s past path in qualitative state space can 
be used to isolate faults. In MTK, this is implemented as a historian, which keeps a 
timestamped stack of the last five qualitative states for all parameters to which it was 
attached. Temporal reasoning on about ten percent of the model's parameters 
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provided sufficient information to distinguish all known fault modes with minimal 
additional overhead. 

4.4 Procedural task execution 

XTK includes a language for building tasks that are initiated by the expert system to 
carry out control and other actions on the system being monitored. Tasks are initiated 
in the expert system by establishing goals to be satisfied by the XTK tasks. Backward- 
chaining then causes the task or tasks needed to satisfy the goal to be started. The 
tasks that are written using XTK cannot be modified at run-time, but do have looping 
and branching conditionals and the ability to query the knowledge base, allowing the 
tasks to have a predefined range of responses to changing conditions. 

5. Obstacles Overcome 

5.1 Thermal bus hardware: target shifts, evolution 

The development of TEXSYS was begun without the availability of most specific 
target system expertise. The three thermal bus testbeds at JSC evolved in parallel with 
TEXSYS software development. Because it was expected from the beginning that the 
thermal bus hardware design would vary during the course of software development, 
it was decided to adopt a device-centered approach to modeling in TEXSYS. For 
instance, the behavior of basic components such as filters and valves could be 
easily specified prior to knowledge of overall bus behavior. This device-centered 
approach was implemented easily as an object-oriented system, using a library of 
components to build schematic-like models. These models contained multiple 
instances of components, e.g., many individual solenoid valves. As the 
characteristics of two-phase thermal bus components became better known, the 
prototypical or parent-class definitions of given components were edited to reflect 
new knowledge, without explicitly altering the models -- a flexibility not found in 
unstructured Al approaches without inheritance, such as production systems. 

In addition to parallel thermal hardware evolution, TEXSYS software development 
had to adapt to several changes in the identity of the thermal testbed targeted for 
delivery. Initial TEXSYS prototypes modelled portions of the then-planned Grumman 
thermal bus design. Subsequent changes in the targeted testbed were from a small- 
scale Grumman thermal brassboard to the Sundstrand thermal brassboard, and the 
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(similar) BATBS. This “moving target” problem itself demonstrated the value of a 
toolkit for rapid model editing -- the Model Toolkit, or MTK. 

MTK’s easy model modification capability allowed TEXSYS designers: (a) to reuse a 
high proportion of the knowledge base developed for the original target testbed in 
building later models of other testbed designs, and (b) during online testing with the 
BATBS, to modify the model to reflect a physically-removed valve -- in five minutes, 
compared with several days to modify and debug conventional procedural software 
(i.e., the DACS). 

5.2 Ai software performance 

Initial TEXSYS prototypes used an ATMS together with interpreted forward-chaining, 
breadth-first KEE rules for propagation within the model as well as for matching faults. 
The first tests of TEXSYS with the Sundstrand thermal brassboard model in July 1988 
consumed roughly three hours per update cycle -- orders of magnitude slower than 
required - given just four new sensor readings per cycle. 

This led to the design of a rule compiler (written by John Nienart) in which all rules 
were transformed into small compiled Lisp functions attached to locations in the 
model. Using this compilation approach, the comparable update cycle time for 
TEXSYS was reduced to about ten seconds -- thereby achieving r eal- time 
performance levels for the thermal bus domain. Without this performance 
improvement, no realtime control would have been possible for TEXSYS. 

Even with the rule compiler in use, voluminous data updates associated with BATBS 
startup tended to slow TEXSYS to about 30-45 seconds/cycle. Furthermore, certain 
control actions during startup required faster-than-usual TEXSYS performance. In this 
case, performance requirements were met by widening the TDAS update deadbands 
for all non-startup-critical sensors to large values, effectively filtering out updates from 
these non-critical sensors during startup. Certain time-critical valve sequencing 
functions during startup were implemented as separate, subsidiary closed-loop 
controllers (written in the XTK language). 

5.3 Hypothetical reasoning slowness 

During TEXSYS development tests at ARC with the Sundstrand thermal brassboard, it 
was noticed that occasionally some faults induced symptoms which were not 
significantly different than those induced by other known faults. One initial approach 
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discussed to resolving this fault mode ambiguity was to carry forward multiple 
candidate sets of faults as separate candidate worlds, and to then wait for future 
snapshots of bus behavior to hopefully confirm one world as reality. However, it was 
found that model update times rose linearly with the number of existing worlds. Given 
that TEXSYS’s normal cycle time was about twenty seconds with only a single 
baseline world, and given an imposed cycle-time ceiling of one minute, the 
competing-hypotheses approach to ambiguous faults was not feasible without 
replacing the worlds and truth-maintenance systems with a more efficient non- 
commercial implementation - at a late stage of TEXSYS development. Therefore, 

ARC researchers created a hybrid rule- and model-based approach. 

It was necessary in this hybrid approach to reduce the reliance on consistency-based 
diagnosis for trapping all faults, except for bad sensors and previously-unknown or 
unforeseen faults. The KEE ATMS was then typically used only as a justification- 
based TMS except for these sensor conflict and unexpected faults. In retrospect, it is 
not likely that a solely model-based approach could have replaced all rule-based 
reasoning in this domain, even with much faster computers, given the existence of 
highly nonlinear, heuristically-modelled components in the BATBS model. 

6. Project Course 

The expert system and human interface software were developed as prototypes of 
increasing capability and complexity over a period of 18 months. Given a dearth of 
detailed thermal bus knowledge, software development was focussed during this time 
on implementing basic reasoning and modelling techniques in the MTK and XTK 
toolkits. Each successive prototype of the expert system and human interface was 
refined based on comments from human factors scientists at ARC and the thermal bus 
experts and users at JSC. The first several prototypes demonstrated were standalone 
systems and were not attached to any hardware. These prototypes were used to 
validate the basic thermal knowledge obtained from the experts, to educate the users 
as to the capabilities of expert systems and to explore some human interface design 
concepts. Later prototypes were tested with LDAS and the Sundstrand thermal 
brassboard at ARC. 

These ARC brassboard tests were used to validate the basic TEXSYS design, 
discover any gross gaps in thermal bus knowledge, resolve timing problems, and 
verify proper control of the thermal bus. Demonstrations of prototype versions of 
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TEXSYS with the Sundstrand brassboard were given to NASA Administrator James 
Fletcher (September 1988) and to Associate Administrator of the Office of Space 
Station (OSS) Jim Odum (November 1988). 

After delivery to JSC of the BATBS hardware, a set of tests was run by the domain 
experts to examine the operation of the bus and evaluate it for use on the space 
station. Fabrication delays in the delivery of the Grumman brassboard hardware 
forced a switch to the BATBS design in the spring of 1988. The operational 
experience gained by the experts from the BATBS tests was then used to generate 
three documents for use in creating the operational TEXSYS: a physical description 
of the bus and its general behavior; a nominal operations document that explained all 
procedures for operations such as startup, shutdown and setpoint change; and a fault 
diagnosis and recovery procedures document that characterized known BATBS 
faults. Together with hands-on tests with the Sundstrand brassboard, these three 
documents formed the basis for the ARC-developed knowledge base. The ARC staff 
then spent six months developing and testing the TEXSYS knowledge base, which 
was delivered to JSC in February, 1 989. ARC technical staff were then posted to 
JSC on a continuous, rotating basis until the final JSC demonstration in August, 1 989. 

A group of JSC staff meanwhile drafted a plan for the integration and testing of the 
TEXS YS/H ITEX/TD AS system after delivery from ARC. Following the outline in this 
test plan, several weeks of testing was performed to check connectivity between the 
various subsystems. The next set of tests was performed at JSC by engineers from 
both NASA centers, using recorded data from the earlier BATBS fault injection tests. 
These tests used the playback of data for a particular nominal operation or fault to 
validate the TEXSYS model and its diagnostics for that operation or fault. This was 
the first comprehensive testing of the knowledge bases with real data from the BATBS, 
and it required six weeks, through mid-July, 1989. 

Finally, another six weeks of testing was performed, with the entire TEXSYS system 
online with the live BATBS at JSC. This testing involved two shifts of operations and 
methodically worked through the nominal operations and faults covered by the expert 
system. Many revisions to the knowledge base and operations tasks were made as 
more experience with the bus was gained. For example, it was found that for the 
BPRV failure fault, the time lag between fault injection, appearance of initial symptoms 
and appearance of symptoms that allow the differentiation and isolation of the fault 
was much shorter than initially anticipated, as the bus was more stable than had been 


10 


predicted by earlier tests. The software systems were frozen at the end of this testing 
period. The final TEXSYS system in September, 1989, contained 340 rules and over 
3400 frames in the model, and 146 tasks for recovery and nominal control. 

After the online testing was completed, a two week formal test and demonstration was 
conducted in late August, 1989. All of the nominal operations and fault procedures 
were successfully performed. These were extensively documented with screen 
hardcopies and printouts of justifications of fault diagnoses (see Appendix A). In 
addition, formal briefings and demonstrations were given for senior NASA 
management of ARC and JSC, and for key Space Station Freedom managers (Level I 
and II) and Work Package 2 contractors in the thermal and automation groups. 

7. Final Demonstration Results at JSC 

In tests run with the BATBS at the NASA Johnson Space Center in August, 1989, 
TEXSYS successfully performed real-time monitoring and control (such as valve 
actuation) during all nominal modes of operation such as startup and setpoint 
changes. TEXSYS successfully noticed and reacted to all of the required seventeen 
BATBS faults shown in Figure 2. Multiple faults were often encountered -- the 
TEXSYS architecture proved to be capable of recognizing multiple independent 
faults, both in parallel and serially. Unplanned faults were also demonstrated, such as 
a shorting solenoid valve which was noticed due to a conflict in local temperatures 
caused by its radiated excess heat. Since any given system-level fault can be 
induced by any of several component faults, and only about a third of these known 
component faults were included in the formal demonstration, unplanned component 
faults were fairly common. In these cases, TEXSYS identified the system-level fault 
even when it didn’t recognize the component fault causing the problem. During these 
tests, TEXSYS update cycle times were about 10-30 seconds, but varied between 
five seconds to about a minute, depending on the quantity of data updated in a given 
cycle. When sensor conflicts caused hypothetical worlds to be created, the latter 
duration could stretch to several minutes, thereby violating user requirements. 

An example of a system and component-level fault is given in Figure 3, in which a 
stuck-closed valve (component fault mode) causes the total flow through the 
evaporators (BFM701) to drop abnormally (system fault mode) and the downstream 
heat exchanger temperature (BTC005) to rise due to lack of fluid. TEXSYS noted the 
drop in flow immediately and advised the operator. After BTC005 rose beyond the 
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expected range for the current heat load, TEXSYS notified the operator of a possible 
blockage fault, and toggled the isolation valve to confirm the fault. Toggling the valve 
restored normal flow, indicating a previously-stuck valve. 

7.1 Gradual Acceptance by Users 

Given significant mistrust of Al techniques by the thermal engineers, initial TEXSYS 
online tests were conducted with all control actions subject to operator approval. As 
user confidence in the software increased, they gradually allowed TEXSYS direct 
control of the BATBS. After a month of online testing with the BATBS, it was noticed 
that the thermal engineers were comfortable with taking their attention away from their 
telemetry displays when they knew that TEXSYS was on line (e.g., informal 
discussions, taking bathroom breaks, etc.), leaving only an operator at the human 
interface console and a technician by the BATBS kill switch. The thermal engineers 
consider TEXSYS to be a significant improvement over their previous fault detection 
and data display capability, but criticize its occasional slowdowns (usually due to 
worlds processing). Faster computers and further code rewrites would have helped 
these slowdowns. 

7.2 Model-Based Benefits Shown 

In addition to simplifying and reducing the number of rules needed for fault recognition 
(only 340 rules in 190,000 total lines of code), the use of a device-oriented model- 
based approach in TEXSYS allowed prototyping to begin over a year before a target 
thermal bus design was selected. Conversion from the (original) Grumman thermal bus 
design to the thermal brassboard and the BATBS simply required the addition of some 
classes of specialized hardware to the component library, e.g., pitot pumps in addition 
to ordinary vane pumps. Rules referring only to components and fault modes common 
to all thermal busses were reused, reducing development effort. 

Another benefit of the device-oriented modelling approach was the ability to edit the 
arrangement of components in the model, to follow repairs or damage, without 
changing the fault recognition rules or altering the conflict resolution system software. 
When a broken valve was replaced with a length of pipe during testing, this capability 
allowed TEXSYS to be brought offline, the corresponding model component removed, 
the ATMS reinitialized, and TEXSYS brought back online in about twenty minutes. In 
comparison, according to the thermal engineers, the same change made to the 
Fortran-based DACS would have taken at least four days. Finally, a model-based 
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approach was found to ease knowledge acquisition, as non-Lisp-versant thermal 
engineers could reason in terms of device interactions in a schematic representation 
more easily than they could debug complex rules. 

7.3 Benefits of Hands-on Brassboard Testing 

Early hands-on experience with thermal bus hardware in a research environment (the 
Sundstrand brassboard) at ARC was also beneficial. Total running time of the 
brassboard at ARC actually exceeded that of the BATBS during later testing at JSC. 
Early problems with online diagnosis of brassboard failures pushed MTK 
improvements and knowledge base refinements, and most timing issues during 
thermal bus startup and shutdown were resolved in brassboard tests. Unexpected 
failures, lack of consistent performance, and unmodeled nonlinearities were all 
features of the brassboard. If instead a simulation had been employed at ARC during 
software development, it is unlikely that these problems would have been discovered 
or addressed until software field deployment at JSC. 

7.4 Organizational impact and follow-on activities 

The TEXSYS program was a proof-of-concept with respect to the use of model-based 
symbolic control in a real-time environment. While it was a successful demonstration, 
its software and hardware were predominantly Lisp-based and hence are presently 
unsuitable for SSF onboard use. The model-based control approach (of which 
TEXSYS is an example) is now being used by the SSF Work Package 2 prime 
contractor to create a thermal bus control successor to TEXSYS, which will function 
in the SSF onboard computing environment (Ada software in a Unix-based 
environment, running on parallel Intel 80386-based computers) [9]. By demonstrating 
that Al techniques can be reliably used to monitor and control complex space 
subsystems such as the BATBS, the TEXSYS project has made NASA management 
and thermal engineers more willing to consider the future use of Al techniques in 
Space Station Freedom and Lunar/Mars mission thermal control software. 

Development of a similar knowledge-based system is now underway for Space 
Station Freedom power distribution and is being considered for planned closed-loop 
life support systems. The model-based approach developed for TEXSYS and the XTK 
toolkit are being used for development of a life support design workstation [io]. 
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8. Summary 


The success of the hierarchical symbolic model-based control approach taken in 
TEXSYS demonstrates that a layered symbolic controller can be used to 
successfully control complex hardware in real time. The use of qualitative model- 
based and temporal reasoning in TEXSYS is one of the first applications of these 
techniques to online, real-time process control. TEXSYS successfully makes use of 
an incomplete causal model and identifies multiple independent faults with it. 

It is too soon to say if the TEXSYS demonstrations will ultimately lead to a spaceborne 
diagnostic system, but they show that Al techniques can be effectively applied to 
real-time control of large electromechanical systems, such as those planned as part of 
Space Station Freedom and future lunar and Mars bases. A generic, component- 
oriented modelling approach is recommended in order to follow dynamic hardware 
configurations. A component-oriented rather than a system-oriented approach can 
avoid much rewriting of rules when components are rearranged in a device, as often 
happens during repairs, upgrades, and design changes of complex mechanisms. The 
operational success of TEXSYS demonstrates that a range of techniques (model- 
based and qualitative reasoning, classification systems, frame-based 
representations, temporal reasoning, and procedural reasoning) can be used 
together to control and diagnose faults in certain relevant electromechanical systems 
in real time. Given their success in the TEXSYS demonstration, the model-based 
symbolic control methods used are a promising general approach to the automation of 
the monitoring and control of manned spacecraft subsystems. 

The payoff of this automation is threefold: increased likelihood of mission success, or 
improved robustness; reduced operations costs; and, increased crew scientific 
productivity. Given automated monitoring and control as shown in the TEXSYS 
demonstrations, incipient and time-dependent faults can be automatically detected 
and warnings issued to crew or corrective action taken prior to catastrophic failures. 
This automated monitoring capability should also reduce the burden on human 
subsystem monitoring and thence reduce recurring mission operations costs. Finally, 
the automation of routine subsystem housekeeping functions will reduce their share of 
crew work schedules, thus freeing crew members for more intrinsically useful 
activities. 
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9. Notes on Volume Two and Appendices 


In contrast with the overview given in this volume, the testing of TEXSYS with the 
BATBS hardware and the design and use of SADP software are discussed in detail in 
Volume Two and Appendices A and B, respectively. Volume Two and Appendix A 
were written by the Crew and Thermal Systems Division at JSC as their final TEXSYS 
test report. Appendix B is a collection of TEXSYS software design documents and 
toolkit user guides, written by the software developers at ARC and JSC over the past 
eighteen months. Given the disparate sources, the format and style varies between 
documents. 

10. References 

[1] Bull, J.S., System Autonomy Demonstration of Thermal Control System for Space 

Station , Information Sciences Division, NASA-Ames Research Center, Moffett 
Field, CA, December, 1986. 

[2] Hack, E.H., and DeFilippo, D. “Demonstrating Artificial Intelligence for Space 

Systems: Integration and Project Management Issues," Sixth IEEE Conference 
on Artificial Intelligence Applications (CAIA-90), Santa Barbara, CA, March, 
1990. 

[3] Erickson, W.K., and Rudokas, M.R., “MTK - An Al Tool for Model-Based 

Reasoning,” Third Conference on Artificial Intelligence for Space Applications, 
Part II, NASA CP-2492, Huntsville, AL, Nov. 1987, pp. 1-5. 

[4] Glass, B.J., Erickson, W.K., and Swanson, K.J., “TEXSYS: A Large-Scale 

Demonstration of Model-Based Real-Time Control of a Space Station 
Subsystem,” Proc. Seventh IEEE Conference on Al Applications, Miami Beach, 
FL, February 1991. 

[5] Levinson, R., “Autonomous prediction and reaction with dynamic deadlines,” Proc. 

AAAI Spring Symposium, Stanford, CA, March, 1990. 

[6] de Kleer, J., and Williams, B. C., "Diagnosing multiple faults," Artificial Intelligence, 

Vol.32, No.1 , 1987, pp.97-130. 

[7] de Kleer, J., "Back to backtracking: controlling the ATMS," Fifth National 

Conference on Artificial Intelligence (AAAI-86), Philadelphia, PA, 1986. 

[8] Glass, B.J., and Wong, C.M., “A Knowledge-Based Approach to Identification and 

Adaptation in Dynamical Systems Control," Proc. of the 27th IEEE Conference 
on Decision and Control, Austin, TX, December, 1988, pp. 881-886. 


17 


[9] T. Hill, W. Morris, R. Boyer, "Thermal Control System Automation Project (TCSAP) 

Interim Report", JSC 25448, MDC 91 HOI 242, December 1991. 

[10] Cantwell, E.R.,Shenk, T„ Robinson, P. and Upadhye, R.S., “Automated simulation 

as part of a design workstation,” Twentieth International Conference on 
Environmental Systems (ICES-90), Williamsburg, VA, July, 1990. 


18 



REPORT DOCUMENTATION PAGE 


Form Approved 
OMB No. 0704-0168 


Public reporting burdan (of thi* collodion of ln(ofm«tioo is «timat«d to ivmg* 1 hour par rwponM, Inducting the tim» lor •***£"8 

aathefino and maintaining tha data naadad, and complating and raviawing tha collactlon of Information. Sand commanta ragarding W» burdan aatimata or toy °th»r 
coilaction conformation, Including auggaatlona for reducing thia bordan, to Waahington Haadquartara Sarvicaa Djactorata tor m^C20K» J ” 
Davit Highway Suita 1204, Arlington. VA 22202-4302, and to tha Offica of Managamant and Budgat. Paparwork Haducbon Projact (0704-01 88) . Waahington. DC 20503 


1. AGENCY USE ONLY (Laava blank) 


2. REPORT DATE 

October 1992 


3. REPORT TYPE AND DATES COVERED 

Technical Memorandum 


4. TITLE AND SUBTITLE 


Thermal Expert System (TEXSYS) Final Report— Systems Autonomy 
Demonstration Project. Volume 1 — Overview 


«. AUTHOR(S) 


B. J. Glass, Editor 


5. FUNDING NUMBERS 


549-03-11 


7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 

Ames Research Center 
Moffett Field, CA 94035-1000 


S. PERFORMING ORGANIZATION 
REPORT NUMBER 


A-90319 


9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 

National Aeronautics and Space Administration 
Washington, DC 20546-0001 


10. SPONSORING/MONITORING 
AGENCY REPORT NUMBER 


NASA TM- 102877 


11. SUPPLEMENTARY NOTES 

Point of Contact: Brian J. Glass, Ames Research Center, MS 244-18, Moffett Field, CA 94035-1000; 
(415) 604-3379 


12*. DISTRIBUTION/AVAILABILITY STATEMENT 


12b. DISTRIBUTION CODE 


Unclassified — Unlimited 
Subject Category 17 


13. ABSTRACT (Maximum 200 words) 

The Systems Autonomy Demonstration Project (SADP) produced a knowledge-based real-time control 
system for control and fault detection, isolation, and recovery (FDIR) of a prototype two-phase Space Station 
Freedom external active thermal control system (EATCS). TTie Thermal Expert System (TEXSYS) was demon- 
strated in recent tests to be capable of reliable fault anticipation and detection, as well as ordinary control of the 
thermal bus. Performance requirements were addressed by adopting a hierarchical symbolic control approach 
layering model-based expert system software on a conventional, numerical data acquisition and control system. 
The model-based reasoning capabilities of TEXSYS were shown to be advantageous over typical rule-based 
expert systems, particularly for detection of unforeseen faults and sensor failures. 

Volume 1 gives a project overview and testing highlights. Volume 2 provides detail on the EATCS testbed, 
test operations, and online test results. Appendix A is a test archive, while Appendix B is a compendium of 
design and user manuals for the TEXSYS software. 


14. SUBJECT TERMS 

Artificial intelligence, Symbolic controls, Thermal control systems, Automation, 
Graphical user interfaces, Fault diagnosis, Space Station Freedom 

15. NUMBER OF PAGES 

19 

16. PRICE CODE 

A02 

17. SECURITY CLASSIFICATION 
OF REPORT 

Unclassified 

18. SECURITY CLASSIFICATION 
OF THIS PAGE 

Unclassified 

19. SECURITY CLASSIFICATION 
OF ABSTRACT 

20. LIMITATION OF ABSTRACT 


Standard Form 298 (Rev. 2-89) 

Prescribed by ANSI Std Z30-1B 


NSN 7540-01-200-5500 













